Domain 1: Security and Risk Management Flashcards
Confidentiality
Seeks to prevent the unauthorized disclosure of information: it keeps data secret.
Integrity
Seeks to prevent unauthorized modification of information. In other words, seeks to prevent unauthorized write access.
Availability
Ensures that information is available when needed.
Subject
An active entity on an information system.
Object
A passive data file.
Annualized Loss Expectancy
The cost of loss due to a risk over a year.
Threat
A potentially negative occurrence.
Vulnerability
A weakness in a system.
Risk
A matched threat and vulnerability.
Safeguard
A measure taken to reduce risk.
Total Cost of Ownership
The cost of a safeguard.
Return on Investment
Money saved by deploying a safeguard.
Disclosure, alteration and destruction (DAD)
Opposite of CIA.
2 types of integrity?
Data integrity and system integrity
Data integrity
Seeks to prevent unauthorized modification of information.
System integrity
Seeks to prevent unauthorized modification of a system.
Disclosure
Unauthorized release of information.
Alteration
Unauthorized modification of data.
Destruction
Making systems or data unavailable.
AAA
Authentication, Authorization and Accountability
Identity
A claim of who you are. By itself it is weak because there is no proof.
Authentication
Proving an identity claim.
Authorization
Describes the actions you can perform on a system once you have been identified and authenticated.
Accountability
Holds users responsible for their actions.
Non-repudiation
Means a user cannot deny having performed a transaction.
Non-repudiation
Combines authentication and integrity. Both of these are required before you can have this.
Least privilege
Means users should be granted the minimum amount of access required to do their jobs.
Need to know
More granular than least privilege: the user must need to know that specific piece of information before accessing it.
Examples of subjects
User or computer program.
Examples of objects
Documents, database tables, text files, executable file for a computer program, etc.
Defense-in-depth
Applies multiple safeguards (or controls) to protect an asset.
Due care
Doing what a reasonable person would do.
Due diligence
The management of due care.
Due care and due diligence are often confused. Think of due diligence as a step beyond due care. Due care is informal, due diligence follows a process.
Example of due care
Expecting your staff to patch their systems.
Example of due diligence
Verifying that your staff has patched their systems.
Gross negligence
Opposite of due care.
Three major systems of law.
Civil, common, and religious.
Civil law
Type of law that is employed by many countries throughout the world.
Primary difference between civil law and common law
In civil law judicial precedents and particular case rulings do not carry the weight they do under common law.
Common law
The legal system used in the US, Canada, UK and most former British colonies.
Religious law
Religious doctrine or interpretation which serves as a source of legal understanding and statutes.
Sharia
Term used for Islamic law - uses Qur’an and Hadith as its foundation.
Customary law
Refers to those customs or practices that are so commonly accepted by a group that the custom is treated as a law.
The concept of “best practices” is closely associated with Customary law.
3 branches of common law
Criminal, Civil and Administrative
Criminal Law
Pertains to those laws where the victim can be seen as society itself. Primary focus is punishment and deterrence.
Goal of criminal law
To promote and maintain an orderly and law-abiding citizenry.
Civil Law (as a branch of common law)
Pertains to cases where the victim is an individual, group or organization. Primary focus is compensation for the victim rather than punishment and deterrence.
Types of financial damages
Statutory, Compensatory and Punitive
Statutory damages
Those prescribed by law, which can be awarded to the victim even if the victim incurred no actual loss or injury.
Compensatory damages
Purpose is to provide the victim with a financial award in an effort to compensate for the loss or injury incurred as a direct result of the wrongdoing.
Punitive damages
Purpose is to punish an individual or organization. These damages are typically awarded to attempt to discourage a particularly egregious violation where the compensatory or statutory damages alone would not act as a deterrent.
Administrative law (regulatory law)
Law enacted by government agencies.
Examples of administrative law
FCC regulations, HIPAA Security mandates, FDA regulations and FAA regulations.
Prudent man rule
Another name for due care.
Types of evidence
Real, Direct, Circumstantial, Corroborative and Hearsay
Real Evidence
Consists of tangible or physical objects.
Examples of real evidence
Hard drives, DVDs, USB drives or printed business records.
Direct Evidence
Testimony provided by a witness regarding what the witness actually experienced with his/her five senses.
Circumstantial Evidence
Serves to establish the circumstances related to particular points or even other evidence.
Example showing difference between direct and circumstantial evidence
If a witness testifies that she saw the defendant create and distribute malware this would be direct evidence. If forensics of the defendant’s computer revealed the existence of source code for malware, this would constitute circumstantial evidence.
Corroborative Evidence
Provides additional support for a fact that might have been called into question. This does not establish a particular fact on its own.
Hearsay
Second-hand evidence. Generally considered inadmissible in court.
Business and computer-generated records are generally considered hearsay evidence, but case law and updates to the Federal Rules of Evidence have established exceptions to this.
Five desirable criteria for evidence.
Relevant, authentic, accurate, complete and convincing
Best evidence rule
Courts prefer the best evidence possible - original documents are preferred over copies, and conclusive tangible objects are preferred over oral testimony. Recall the five desirable criteria for evidence.
Secondary evidence
Class of evidence common in cases involving computers. Consists of copies of original documents and oral descriptions.
Rule 1001 of the US Federal Rules of Evidence
Can allow for readable reports of data contained on a computer to be considered original as opposed to secondary evidence.
Fourth Amendment
Protects citizens from unreasonable search and seizure by the government.
Exception to requirement for search warrant in computer crimes.
Exigent circumstances in which there is an immediate threat to human life or evidence being destroyed.
Search warrants only apply to law enforcement and those who are acting under the color of law enforcement.
If private citizens carry out actions or investigations on behalf of law enforcement these individuals are acting under the color of law and can be considered agents of law enforcement.
Entrapment
When law enforcement, or an agent of law enforcement, persuades someone to commit a crime when the person otherwise had no intention to commit a crime.
Enticement
Differs from entrapment in that the person is determined to have already broken a law or is intent on doing so.
3 categories for computer crimes
Computer systems as targets
Computer systems as a tool to perpetrate the crime
Computer systems involved but incidental
Intellectual property
Refers to intangible property that resulted from a creative act.
Trademarks (TM or ®)
Purpose is to allow for the creation of a brand that distinguishes the source of products or services.
Servicemarks (SM)
Constitute a subset of brand recognition related intellectual property.
Patents
Provide a monopoly to the holder on the right to use, make, or sell an invention for a period of time in exchange for the holder’s making the invention public.
Typical length of a patent in US and Europe?
20 years
Copyright (©)
Represents a type of intellectual property that protects the form of expression in artistic, musical, or literary works.
Typical length of a copyright in US
70 years after the death of the author.
If the work is a product of a corporation then the term lasts for 95 years after the first publication or 120 years after creation, whichever comes first.
First sale doctrine
Allows a legitimate purchaser of a copyrighted material to sell it to another person.
Fair use doctrine
Allows someone to duplicate copyrighted material without requiring the payment, consent, or even knowledge of the copyright holder.
Software licenses
Agreement between provider of software and the consumer.
Trade secrets
Business-proprietary information that is important to an organization’s ability to compete.
Well known intellectual property attacks
Software piracy and copyright infringement.
Trademark dilution
Represents an unintentional attack in which the trademarked brand name is used to refer to the larger general class of products of which the brand is a specific instance. Example: using Kleenex to refer to all facial tissue regardless of brand.
Cybersquatting
Refers to an individual or organization registering or using, in bad faith, a domain name that is associated with another person’s trademark.
Typosquatting
Refers to a specific type of cybersquatting in which the cybersquatter registers likely misspellings or mistyping of legitimate domain trademarks.
Privacy
The protection of the confidentiality of personal information.
EU Data Protection Directive
Allows for the free flow of information while still maintaining consistent protections of each member nation’s citizens’ data.
Principles of EU Data Protection Directive
- Notifying individuals how their personal data is collected and used.
- Allowing individuals to opt out of sharing their personal data with third parties.
- Requiring individuals to opt into sharing the most sensitive personal data.
- Providing reasonable protections for personal data.
Organization for Economic Cooperation and Development (OECD)
- Though often considered exclusively European, consists of 30 member nations from around the world.
- Provides a forum in which countries can focus on issues that impact the global economy.
OECD Guidelines on the protection of Privacy and Transborder Flows of Personal Data
Issued in 1980, sought to provide a basic framework for the protections that should be afforded personal data as it traverses the various world economies.
Eight driving principles regarding the privacy of personal data.
- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification Principle
- Use Limitation Principle
- Security Safeguards Principle
- Openness Principle
- Individual Participation Principle
- Accountability Principle
Collection Limitation Principle
Personal data collection should have limits, be obtained in a lawful manner, and, unless there is a compelling reason to the contrary, with the individual’s knowledge and approval.
Data Quality Principle
Personal data should be complete, accurate, and maintained in a fashion consistent with the purposes for the data collection.
Purpose Specification Principle
The purpose for the data collection should be known, and the subsequent use of the data should be limited to the purposes outlined at the time of collection.
Use Limitation Principle
Personal data should never be disclosed without either the consent of the individual or as the result of a legal requirement.
Security Safeguards Principle
Personal data should be reasonably protected against unauthorized use, disclosure, or alteration.
Openness Principle
The general policy concerning collection and use of personal data should be readily available.
Individual Participation Principle
Individuals should be:
- Able to find out if an entity holds any of their personal data.
- Made aware of any personal data being held.
- Given a reason for any denial of a request to account for personal data being held, and a process for challenging any denials.
- Able to challenge the content of any personal data being held, and have a process for updating their personal data if found to be inaccurate or incomplete.
Accountability Principle
The entity using the personal data should be accountable for adhering to the principles above.
EU Data Protection Directive states that personal data of EU citizens may not be transmitted, even when permitted by the individual, to countries outside of the EU unless the receiving country is perceived by the EU to adequately protect their data.
EU-US Safe Harbor was created because of this, to account for the US having less stringent privacy protections.
EU-US Safe Harbor
Framework that will give US based organizations the benefit of authorized data sharing with the EU.
Privacy Act of 1974
Created to codify protection of US citizens’ data that is being used by the federal government.
Council of Europe Convention on Cybercrime
Most significant progress toward international cooperation in computer crime policy. Focused on establishing standards in cybercrime policy to promote international cooperation during the investigation and prosecution of cybercrime. Signed by the 47 European members as well as the US.
Coordinating Committee for Multilateral Export Controls (CoCom)
During the Cold War, this was a multinational agreement to not export certain technologies, which included encryption, to many communist countries.
Wassenaar Agreement
Post-Cold War standard for export controls. Still included significant restrictions on the export of cryptographic algorithms and technologies to countries not included in the agreement.